A new, more dangerous variant of "MAC Defender," dubbed "Mac Guard," has been discovered, and the new malware does not require an administrator password to install.

The discovery was announced on Wednesday by security firm Intego. Unlike previous versions of the software, which required users to enter an administrator password to install the fake antivirus, the latest variant uses a different install method.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server," the security firm said. "As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site."

No administrator's password is required to install the application, and if users have Safari's "Open 'safe' files after downloading option checked, the package will open Apple's Mac OS X installer, and users will see a standard installation screen. However, at this point users must still agree to install the "MAC Defender" malware.

The second part of the malware is a new version called "MacGuard." The avRunner application automatically downloads "MacGuard," which, like its predecessor, aims to trick users into providing credit card numbers in exchange for supposedly ridding a users' systems of "infected" files.

This week, Apple posted instructions on its website explaining how to remove the "MAC Defender" malware. The company also revealed it will release an update to its Mac OS X operating system that will automatically find and remove the malware.

Some reports have suggested that the "MAC Defender" malware has spread quickly, with one anonymous AppleCare representative claiming that the "overwhelming majority" of recent calls to Apple were related to the malware. The software was first discovered early this month, also by Intego.

While the original variant was categorized as a "low" threat because it requires users to type in an administrator password, the latest version is considered more dangerous, and was ranked with a "medium" risk.

The malware has spread through search engines like Google via a method known as "SEO poisoning." Using this technique, phony sites are designed to game search engine algorithms and show up when users search for certain topics.

I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other then the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.

Yeah, installing a trojan horse bit of nagware is only an "attack" in the mind of Ed Bott. The ability to load software limited to the current admin user is also not a "dangerous" new development. The user has to be an ADMIN who is PURPOSELY INSTALLING SCARE-WARE from an unknown source.

True, attacking the intelligence of the end user, the weaklings amongst them will provide the card details too. Press nowadays all about click, the loudest and fastest but little is paid for reputation, accuracy and responsibility.

OTH, they who made this nuisances wouldn't go far with OSX with this kind of approach especially when it is now a well publicised issue of which Apple already post a solution.

and it makes me wonder why people click "OK" to begin with. I mean seriously. I've seen macdefender ads all over. It's a classic scam, why would anyone think it is in fact ok?

Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.

(What I don't get, is why people are downloading an AV program for an OS that touts it not needing one. Ironic.)

hive mind thinking, perpetuated by some advocates of Apple products, that Mac OS X doesn't suffer from malicious software is dangerous. the ignorance and arrogance, on the part of the advocates, is also unfortunate.

I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other then the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.

I wish some people would stop using the word attack to describe this too.

Sorry, could not resist.

NoahJ"It is unwise to be too sure of one's own wisdom. It is healthy to be reminded that the strongest might weaken and the wisest might err." - Mahatma Gandhi

I wish the press would stop using words like "virus" and "attack". The software doesn't attack anything (other then the intelligence of those who install it) and it is not a virus nor is it a trojan. It's a phishing attack, a software con artist that depends on users making at least one conscious decision to actually install the thing onto their systems.

Um, see anything ironic about the parts I highlighted? And you are simply mincing words anyway. It's a threat. And the people who are most like to be victims don't know or care about the technical distinction you are trying to make. In my book, if someone lays out landmines hoping I'll step on one, I'd call that an attack.

The article left out one critical piece of info...the no password version only works if you are logged in as an admin account. From the Intego article:

Quote:

Since any user with an administrators account the default if there is just one user on a Mac can install software in the Applications folder, a password is not needed.

This is an area I think Apple would do well to better educate their customers. The difference between admin and non-admin accounts. And they should encourage users to not use admin accounts for anything other than administering their computers. And use non-Admin accounts for regular, daily use. It's not fool-proof, but it ensures that the user will be asked for a password, and one that's different from their normal daily login password (hopefully). And that will be one more chance for the person to stop and think about what they are doing.

Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?

Because 99% of typical users are completely naive. They are not stupid people but they are ignorant of the risks and will click on just about anything. It's a reflex action almost. This, unfortunately, is more typical of Mac users because they have been duped into believing nothing can touch OS X. I have finally convinced other family members to not respond to any emails requesting personal information or asking them to "verify" their account.

"not even a problem, just a stupidity filter" - when the same thing happens on Mac

No, a virus attack is when you browse the web on a Windows PC and your machine becomes unusable because all this crap has installed itself and taken over your computer. The only workaround is installing and maintaining AV software, which takes a hit on performance and RAM.

Those kinds of issues are simply not there on Macs. No matter how much you try to suggest that some fake scam app is viral or dangerous or malicious (all it does is try to make you pay for it) the reality is that this thing does not damage your Mac and is trivial to remove.

Many PC users give up and buy a new machine after getting loaded down with adware/spyware and viruses, which are a plague on Windows. Trying to suggest Macs and Windows PCs are in the same boat is simply lying.

It's certainly possible that somebody could invest the efforts to target 10% of the market with virulent, damaging attacks, but that hasn't happened yet and there's not really a business model supporting that rather than targeting the low hanging fruit of the 90% installed base of Windows, most of which is unpatched and already has functional exploits written for it. And Apple can shut down attacks pretty rapidly, making all the effort of targeting the Mac that much less rewarding.

Comparing the virus situation on Windows with Macs is like comparing a meth-injecting homeless prostitute with open skin wounds to a newborn baby being raised by a Stepford housewife, and suggesting that the baby is in the same grave danger of getting lethal health problems because someday it will grow up perhaps it will begin smoking. Absolute nuttery.

Ironically, it's the myth of immunity that gives so many Mac users the confidence to download anything they come across on the web - "Hey, I keep hearing that Mac has no viruses, so what could go wrong?"

This isn't classified as a virus.
Nothing will go wrong if you don't agree to install this malware.

Would anyone download an unknown, untested, un-vouched-for "defender" or "guard" or anything else for that matter, but especially something that claims to be a defender, guard, etc....?

There are tons of numpties out there. They google "free Mac antivirus" and implicitly trust whatever google search throws up. They probably also click on banner ads proclaiming them a winner for being the millionth person to visit a site. Before using any web service for the first time I, at the very least, google "servicename + scam".

That's not to say it's not Apple's responsibilty. I hope this is another area they take the lead, unlike Microsoft, which allowed an entire industry of antivirus software companies to write the viruses that scared people into paying for their software. The curated app store is a good first step.

But ultimately people need to think of the Internet as the wild west, not a shopping mall.

... and Apple's decision is that the setup process creates a user that is an admin account.

Apple can make the setup process do anything they want but they have chosen the most dangerous option.

I want Apple to be out there showing how good IT is done, but they are not doing it.

They should be proactive, not reactive. There is a lot they can do to reduce these problems.

I agree with this. I think Apple has this in mind too because I think I read it somewhere as a feature of Lion. I use a admin account on my single user Mac setup. I am safe. I'm paranoid about security. I use 1Password's keychain and not Apples. It locks itself by default. You can keep it open for a period of time, if you want too. I use Little Snitch too. However 1PWD is browser wide. Apple's keychain can also be locked system wide but its not elegant. I use other security measures like sand-boxing all downloads to the DL folder where ClamXav monitors this folder on the fly. I think you'll see a much better solution for this in Lion, where no one runs in admin mode. There is really no need to run in admin mode. That said, whatever Apple does won't protect those gullible people. They will give their password and the kitchen sink too.

No, a virus attack is when you browse the web on a Windows PC and your machine becomes unusable because all this crap has installed itself and taken over your computer. The only workaround is installing and maintaining AV software, which takes a hit on performance and RAM.

Wrong on all accounts

1. A virus doesn't come from any and every web browsing on a PC. In fact if you use any browser EXCEPT for Internet explorer, your pretty much safe.

2. A virus doesn't always render a PC useless. Quite the opposite. Many times a PC will continue to function as it always has with the only programs having trouble are programs capable of dealing with the virus in some way. Keyloggers are famous for this.

3. AV software is NOT the ONLY workaround if you think this then you sir are incredibly naive. Most of these viruses can be found via program file search or even re-booting under safe mode and locating the file there to which one can promptly delete. Is it easy? Most of the time yes. Other times it requires extensive work but EVERY virus on windows can do 2 things:

[QUOTE=camroidv27;1869857]Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.

While Windows users are susceptible to phishing attacks such as this, they have also been historically susceptible to a legion of viruses and other malware that do not require the user to 1) allow the installation of an unknown program and 2) enter an admin password.

Didn't they say in the ads that there are no viruses or spyware for macs? I distinctly heard that.
True a Trojan isn't a computer virus by definition, so I'll give you that one. But, when you are advertising to the general public, most don't know the difference between a Virus, Worm, or Trojan, or Spyware, or Malware, or any of the other kinds I didn't list. Its that general public who have been downloading the Mac Defender in the first place, not people who visit sites like this.

[EDIT] Just saw the post above with the web page. Nice find. Clearly states, its not 100%. Does it say that Macs are Secure... Yes. Are they? Not as much as the general public perceives it to be. Hence, the problem. Apple says its secure, so people trust it.

Because users trust their Apple products. They have been told that no matter what, there is no malware written for their computers. So, clicking "Okay" can't harm them, right? Because that's what Apple said.

Can you point us to any examples of Apple saying this?

They come really close to that statement in the very first paragraph here: